Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Low-cost Attack on a Microsoft CAPTCHA Yan Qiang, 2008-12-9.

Published byAnis Simmons Modified over 9 years ago

Similar presentations

Presentation on theme: "A Low-cost Attack on a Microsoft CAPTCHA Yan Qiang, 2008-12-9."— Presentation transcript:

1 A Low-cost Attack on a Microsoft CAPTCHA Yan Qiang, 2008-12-9

2 Conference & Authors CCS 08’ Newcastle University, UK – Jeff Yan – Ahmad Salah El Ahmad

3 Outline Introduction Segmentation Attack on MSN Scheme Experimental Result Suggestion on Countermeasures Conclusion

4 What is CAPTCHA Completely Automated Public Turing Test to Tell Computers and Humans Apart – CAPTCHA is a brand registered by CMU 2. Image-based CAPTCHA Choose a word that relates to all the images. 1. Text-based CAPTCHA: Type the Letter in the image

5 Challenges in CAPTCHA Design Usability: Easy to use/deploy – Text-based CAPTCHAs are widely used. Security: Defend Internet bot programs – < 0.01% expected success rate for automatic scripts – Computer are good at recognizing individual letters success rate > 95% for following images – However, state-of-art methods are not good at locating these individual characters.

6 ‘Common Knowledge’ & Terminology If breaking a text-based CAPTCHA can be successfully reduced to a problem of individual character recognition, then this scheme is effectively broken. – This paper addresses a low-cost technique to locate these individual characters. – This kind of attacks are called segmentation attacks. – Every secure text-based CAPTCHA should be segmentation resistance against segmentation attacks. – Each CAPTCHA test can be referred to as challenge.

7 Main Target & Basic Idea (1/3) MSN scheme: “a very good scheme, since 2002” – 8 uppercase letters or digits – Two color, foreground and background – Local and global warping Local: foil algorithms using thickness or serif features Global: foil algorithms using template matching – 3 kinds of random arc Thick foreground arc Thin foreground arc Thin background arc

8 Main Target & Basic Idea (2/3) Task: – remove random arcs and find character boundaries Key Observations: – A character contain more pixel than an arcs. – A character consisted of connected strokes. – A character cannot be too flat or too wide. – Arcs usually don’t form a circle. – Characters are juxtaposed according to some base line.

9 Main Target & Basic Idea (3/3) Attack Steps – 1. Transform the CAPTCHA image into a black-white image using a manually selected threshold – 2. Reconnect disconnected strokes by removing thin back ground arcs. (Filling gap less than 2 pixel) – 3. partition the image by bit counting and connected component detection. – 4. Remove thick foreground arcs by information on pixel count, location, shape, interplay between shape and location. – 5. Divide evenly for remaining wide fragment into estimated parts.

10 An Example (1/3) 1. Remove color – Image Binarizing 2. Reconnect disconnected strokes

11 An Example (2/3) 3a. Counting bit – Vertical Segment (VS) 3b. Find connected components – Color Filling Segmentation (CFS)

12 An Example (3/3) 4. Remove thick foreground arcs Too few pixel, no circle, far from the base line base line Enough pixel, but no circle, far from the base line 5. Even cutGuess the number of letters in wide partition

13 Experimental Result Hardware – 1.86GHz Intel Core 2 CPU – 2G RAM Assume success rate >95% for recognizing individual character. Use 500 random samples from websites. 92% for segmentation attack on MSN scheme – Breaking rate > 0.92 * (0.95^8) = 61% 77% for Yahoo CAPTCHA, average text length is 5 – Breaking rate > 0.77 * (0.95^5) = 60% 12% for Google CAPTCHA, average text length is 6.25 – Breaking rate > 0.12 * (0.95^6.25) = 8.7%

14 Comparison between State-of-art segmentation resistance mechanisms Microsoft Style: random arcs as false characters Yahoo Style: random angled connecting lines. Google Style: crowding characters together. Vulnerable to connected- component-based segmentation attacks Good Enough?

15 Usability Problem for Crowding c + l = d ? r + n = m ? v + v = w ? Any idea about 2 nd Character?

16 Suggestion on Countermeasures Crowding characters together is good, but should be used carefully to avoid confusing characters. Make it harder to tell characters and arcs apart by juxtaposing them in any directions. Make guessing the number of letters and even cut inefficient by using randomly varied widths for characters.

17 Conclusion Segmentation resistance is a sound principle, but the design details are more critical. This paper demonstrate new methods for evaluating the strength of segmentation resistance mechanisms. Future work – Universal segmentation attack for all text-based CAPTCHAs – design a toolbox for evaluating the strength of CAPTCHAs

18 Q & A Thanks

Download ppt "A Low-cost Attack on a Microsoft CAPTCHA Yan Qiang, 2008-12-9."

Similar presentations

COMPUTER MALWARE FINAL PROJECT PROPOSAL THE WAR AGAINST CAPTCHA WITH IMPLEMENTATION OF THE WORLDS MOST ACCURATE CAPTCHA BREAKER By Huy Truong & Kathleen.

COMPUTER MALWARE FINAL PROJECT PROPOSAL THE WAR AGAINST CAPTCHA WITH IMPLEMENTATION OF THE WORLDS MOST ACCURATE CAPTCHA BREAKER By Huy Truong & Kathleen.
Michele Merler Jacquilene Jacob.  Applications online are inherently insecure  Growing rate of hackers  Confidentiality of online systems should be.

Michele Merler Jacquilene Jacob.  Applications online are inherently insecure  Growing rate of hackers  Confidentiality of online systems should be.
QR Code Recognition Based On Image Processing

QR Code Recognition Based On Image Processing
Word Spotting DTW.

Word Spotting DTW.
Prénom Nom Document Analysis: Document Image Processing Prof. Rolf Ingold, University of Fribourg Master course, spring semester 2008.

Prénom Nom Document Analysis: Document Image Processing Prof. Rolf Ingold, University of Fribourg Master course, spring semester 2008.
CAPTCHA Completely Automated Public Turing test to tell Computers and Humans Apart A Computer Program that can generate and grade test that: Most Humans.

CAPTCHA Completely Automated Public Turing test to tell Computers and Humans Apart A Computer Program that can generate and grade test that: Most Humans.
Identifying Image Spam Authorship with a Variable Bin-width Histogram-based Projective Clustering Song Gao, Chengcui Zhang, Wei Bang Chen Department of.

Identifying Image Spam Authorship with a Variable Bin-width Histogram-based Projective Clustering Song Gao, Chengcui Zhang, Wei Bang Chen Department of.
DIGITAL IMAGE PROCESSING

DIGITAL IMAGE PROCESSING
Human-Computer Interaction Human-Computer Interaction Segmentation Hanyang University Jong-Il Park.

Human-Computer Interaction Human-Computer Interaction Segmentation Hanyang University Jong-Il Park.
Breaking CAPTCHA By Willer Travassos. What it is CAPTCHA? CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.

Breaking CAPTCHA By Willer Travassos. What it is CAPTCHA? CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.
Breaking an Animated CAPTCHA Scheme

Breaking an Animated CAPTCHA Scheme
A new face detection method based on shape information Pattern Recognition Letters, 21 (2000) 463-471 Speaker: M.Q. Jing.

A new face detection method based on shape information Pattern Recognition Letters, 21 (2000) Speaker: M.Q. Jing.
Text Detection in Video Min Cai 2002.3.13. Background  Video OCR: Text detection, extraction and recognition  Detection Target: Artificial text  Text.

Text Detection in Video Min Cai Background  Video OCR: Text detection, extraction and recognition  Detection Target: Artificial text  Text.
Jeff Yan School of Computing Science Newcastle University, UK (Joint work with Ahmad Salah El Ahmad) Usability of CAPTCHAs Or “usability issues in CAPTCHA.

Jeff Yan School of Computing Science Newcastle University, UK (Joint work with Ahmad Salah El Ahmad) Usability of CAPTCHAs Or “usability issues in CAPTCHA.
Processing Digital Images. Filtering Analysis –Recognition Transmission.

Processing Digital Images. Filtering Analysis –Recognition Transmission.
Chinese Character Recognition for Video Presented by: Vincent Cheung Date: 25 October 1999.

Chinese Character Recognition for Video Presented by: Vincent Cheung Date: 25 October 1999.
Fitting a Model to Data Reading: 15.1,

Fitting a Model to Data Reading: 15.1,
Smart Traveller with Visual Translator. What is Smart Traveller? Mobile Device which is convenience for a traveller to carry Mobile Device which is convenience.

Smart Traveller with Visual Translator. What is Smart Traveller? Mobile Device which is convenience for a traveller to carry Mobile Device which is convenience.
California Car License Plate Recognition System ZhengHui Hu Advisor: Dr. Kang.

California Car License Plate Recognition System ZhengHui Hu Advisor: Dr. Kang.
Computer Vision Group University of California Berkeley Recognizing Objects in Adversarial Clutter: Breaking a Visual CAPTCHA Greg Mori and Jitendra Malik.

Computer Vision Group University of California Berkeley Recognizing Objects in Adversarial Clutter: Breaking a Visual CAPTCHA Greg Mori and Jitendra Malik.

Similar presentations

Ads by Google